We have the Zimbra Open Source Edition, so we don't actually have Zimbra Mobile. As I understand it, Mobile gets you OTA synchronization of calendars and push mail, but all we want to do is set a WM5 device up as a regular IMAP client using the included Xpressmail software.

At the moment, the best we can get is an error that the device cannot connect. In the zimbra.log file we get the following error every time a connection is attempted to 993/IMAPS:

Now, we are using an internal CA to sign a certificate for this service. We're aware that the root certificate needs to be added to the root store on the WM5 device and we have done that - it shows up in the list, and we can browse secure websites signed by this root. But we still can't connect to Zimbra IMAP.

What should we try next? We are a small organization and at the moment making the leap from the Open version to the Network Pro version with Mobile users is too steep. We have 1 mobile device user that just needs email, not calendar and we aren't interested in paying someone to trust ourselves when we've already got a perfectly good self-signed certificate for this non-public network service.

Are you sure it's your certificate that is in Zimbra ?
Can you "see" it in your webbrowser (with a standard computer, not the device) when you connect to Zimbra in https ?
Does it work when using IMAPS with ThunderBird (from a standard computer) ?

We have not tried Thunderbird, but several of our users use Microsoft Entourage or Apple Mail to send and receive mail through Zimbra without issue. If we add our root certificate to the proper store on each client, no warning messages about unknown signer show up in either of those clients for sending or receiving.